ACS 5.3 Accounting

Similar Messages

• 1. TACAS+ Accounting and Logged in Users report is not working on ACS 4.1(1

  Hi,
  I am facing problem with ACS 4.1 accounting, TACAS+ Accounting and Logged in Users report are not working, the csv file is been generated but nothing is showened in the file.
  I have checked the documents related to ACS 4.1, it says that there is a bug related to command accounting “CSCsg97429 - TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23”.
  Tried upgrading the same with the patch applAcs-4.1.1.23.3.zip, still it is not working.
  Other reports are working fine.
  1. TACAS+ Accounting - not working
  2. Logged in Users - not working
  3. TACAS+ Administration - working
  4. Passed Authentication - working
  5. Failed Attempts - working
  Any suggestions or any idea, please revert.
  Regards
  Vineet

  Hi,
  Thanks
  Yes I have configured the command “aaa accounting exec default start-stop group tacacs+”
  As I have mentioned all the other reports are working. Which user and when he has logged in and what commands he has used. Only the TACAS+ Accounting and logned user is not working.
  Regards,
  Vineet

• Password Aging & Account Lockout in ACS 4.2

  I have a requirement that in ACS the  user accounts should get disabled after 1 day , so in the group setting under the Password Aging Field I configured the same as 1 day , the Grace & Warning Period is 0 days
  I want that all these user accounts would be active for 30 days , and the moment the account is used (i.e the Start Message appears in the Radius Accounting ) then after 1 day  from the usage then as per the Password Aging Rule the account should get expired.
  Now my query is this password aging rule will start from the day I create the account in the ACS or from the day the user logs in.
  I don’t want to use the Account Lockout Tab as I don’t know when the guest account would be used.
  Request someone to help pls clarify my doubt.
  Regards

  Hi Yusuf,
  Password Aging on ACS will just prompt to change the password. it will not disable the account.
  The Account is present on the AD. So the Disabling and lockout features for an account will come from the AD.
  I don't think a change in password for a guest account is what you would want to do.
  Also according to me disabling the account should be a feature only for the AD admin and not open. A lockout can definately happen but that also has to be defined on the AD.
  The link to password Aging on ACS is as follows:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp525115
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this string as answered if you feel the query is answered.

• ACS 5.3 - how to join to domain

  Hello,
  can anybody clarify me how it is possible join ACS 5.3 to windows domain?
  from cisco doc:
  Active Directory Domain Name: Name of the AD domain to join ACS to.
  Username: Predefined user in AD. AD account required for domain access in ACS should have either of
  the following:
  • Add workstations to domain user right in corresponding domain.
  • Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS machine to the domain).
  Password: Enter the user password. The password should have minimum of 8 characters with the combination of atleast one lower case alphabet, one upper case alphabet, one numeral, and one special character. All special characters are supported.
  That means:
  - Active directory must be windows DOMAIN name, or AD-server dns name?
  - username must be domain user, or domain administrator?
  another settings:
  - time on ad-server and acs must be synced (I'm using the same NTP)
  - ip name-server for acs must be AD-server?
  I can't join ACS to ad-domain. error message is 'can not resolve network address', but from acs-cli it is possible. where can be a problem?
  martin

  Hi there,
  In the Active Directory Domain Name field you enter the domain name, for example: cisco.com
  The username field, it will be better if you try with a domain admin account, otherwise you can use a domain user but with privilege enough to add/delete computer objects.
  The time zone and clock must be synchronized using NTP or manual clock configuration should work as well.
  The ip name-server must be your DNS server, if your AD-server is the same DNS then use the AD-server.

• User Password Not Replicated during ACS Replication

  I am provisioning user accounts in ACS through a provisioning system. The provisioned ACS is set to replicate user and group database to another ACS. Replication interval time is set to 15 mins.
  Problem is that even though the replication cycle runs every 15 mins, if no user is added or deleted, the pre-checks determine that outbound replication is not required and cycle is completed. Hence, if user's password change, they are not replicated to other ACS and in case the authentication request goes to the other ACS then it fails. Manual replication is fine.
  How to make sure replication is run even in case of user password change and not just when a user is added or removed.

  Hi,
  What is the acs ver ? Are the user accounts you are referring to stored? i.e. are the local to the ACS server itself, or are they defined in an external user database (e.g. Active Directory, LDAP, etc.)?
  Users defined via Active Directory are dynamically mapped to a user account in ACS and this account information is typically not replicated since the users created are dynamic and can change properties based on
  configuration/changes in Active Directory itself.
  Regards,
  Jagdeep

• ASA enable mode with ACS

  Hi
  When I SSH to my ASA is there anyway to go straight to enable mode? We use RSA SecurID which means I have to wait for the token to change before I go into enable mode at the moment.
  ASA config:
  aaa authentication ssh console CISCO-ACS LOCAL
  aaa authentication serial console CISCO-ACS LOCAL
  aaa authentication http console CISCO-ACS LOCAL
  aaa authorization command CISCO-ACS LOCAL
  aaa accounting enable console CISCO-ACS
  aaa accounting serial console CISCO-ACS
  aaa accounting ssh console CISCO-ACS
  aaa accounting command CISCO-ACS
  ACS config (Group Level)
  Privilege level 15
  Read/write command authorisation set
  Thanks

  Unfortunately that is not possible as ASA does not support Exec Authorization.
  Regards,
  ~JG
  Do rate helpful posts

• ACS with WLC

  Dear All,
           I have one question and i was struck in that.  We have SSO with AD and Other Guest Wireless SSID.  Guest SSID will be authenticate with ACS local user account. 
           My problem is that when i was create one user in ACS that user can login more than 1 system at same time.  Can i restrict this user to access wireless for one system only not more than one.
            Anybody try before this or not.  Please if anybody done can you share with me.
  Note:-  I create local user in ACS and that user will be able to login Guest wireless SSID, this user should login only system only not more than one system.
  Thanks.

  ISE is much more expensive and if your just wanting to do radius, even using a Microsoft radius can be used. ISE does have more features if you need more than just radius features too. ISE hopefully will replace ACS, but when. It will first need to really and truly support tacacs first. That is one big reasons people still need ACS is for tacacs.
  Sent from Cisco Technical Support iPhone App

• ACS Radius + Peap + MSChapV2

  I am using a wireless setup
  Aironet 1100, ACS 4.0, 3rd party Client adapter
  I am able to connect to my wireless network by keying in username&pass created on the ACS user setup. Also by using a self signed certificate from the ACS.
  Doubts: In ACS logs - Radius accounting is empty.
  Failed attempts.csv shows "Authen failed, EAP-TLS or PEAP authentication failed during SSL handshake"
  But i am able to authenticate my users successfully into the wireless network. What went wrong?

  Hi
  Try enabling the Passed Authentications report and see whats in there. It could be that the failure is perhaps purely transient and rectified by a subsequent attempt.
  For example a re-key authentication requires SSL state on the ACS, it could be that the supplicant and ACS have to revert to performing a full authentication.
  Im guessing but it is entirely possible to have entries in the failed attempts and still get access.
  Darran

• ACS with Tivoli Identity Manager

  Has anyone implemented ACS with ITIM? It was press released almost a year ago and I cannot find any technical documentation to find out how it integrates. What I need to find out is: Does the ACS server use ITIM as a external database for user auth? Or do both products need to backend into the same LDAP dir for user/pass info?

  Yes, we have. ITIM has develped an ITIM ACS agent for Cisco ACS integration. The ITIM ACS Agent is installed on the ACS server and it communicates with Cisco ACS application through Cisco ACS available API. Through the ITIM agent, TIM can creat, delete and modify ACS user's account. No, Cisco ACS server can not use ITIM database as an external for user auth.

• IP Pool assigned by the ACS

  Hi,
  We are implementing the VPN 3015 Concentrator and using ACS to assign IPs to the VPN clients. Want to use 10.200.200.0/24 subnet as a pool, but I can not find the way to assign the right mask. I guess, the ACS detects that this is a class A network and assigns 255.0.0.0 mask to the clients. Is there any way to hardcode it to 255.255.255.0?
  Thank you,
  Evgueni

  It is recommended to reconfigure the settings in the VPN concentrator and the ip pools on the ACS:
  On the VPN Concentrator, choose Configuration > System > Address Management > Assignment > Use Address from Authentication Server > Apply in order to choose the authentication server option for IP address assignment.
  On the Cisco VPN 3000 Concentrator, choose Configuration > System > Servers > Accounting Servers.
  Add the details for the ACS in order to specify the ACS as an Accounting Server. This allows the ACS to see what IP addresses are in use and assign free IP addresses.
  In the ACS, go into either the User Setup or the Group Setup in order to provide the IP address.
  Choose VPN Client IP Address Assignment.
  Choose Assigned from AAA server pool. An IP address pool on the Authentication Authorization Accounting (AAA) server assigns the IP address.

• ACS Command line login..

  Hi
  I have a superadmin account in ACS.
  with this account i can able to login GUI but can't able to login CLI mode.
  what could be the problem ?

  Hello Tony,
  The ACS GUI Administrator accounts and CLI Administrator accounts are different. You cannot login with GUI accounts into CLI.
  You need to use CLI created accounts to access the ACS command line. You should have created one when first installing the ACS 5.x.
  If this was helpful please rate.

• TACACS+ Accounting "Network Access Profile" name is missing

  Hello,
  I have a problem trying to export logs to the Cisco ACS View from my ACS 4.2
  In the document http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_view/4.0/user/guide/appendixA.html Cisco states that one of the mandatory attributes for export to work is "Network Access Profile Name" under TACACS+ Accounting (under ACS 4.2 System configuration -> Logging settings). Well, I don't have this mandatory attribute listed in ACS under TACACS+ accounting log configuration. I tried to ignore this attribute, but then ACS View complains about null value for the attribute mentioned above.
  Is this some bug in ACS View or ACS or maybe I simply missing something?;)
  Best Regards,
  Igor

  Cisco created a new bug for it:
  CSCtq85420
  Best Regards,
  Igor

• ACS 5.6 intergration with Windows AD

  Hi All,
  kindly help me to integrate  Cisco ACS5.6 to AD. Now I am migrating Cisco ACS4.2 to 5.6.
  What type of Account & should be created in Windows AD for the integration. Whether this account should support 128 Bit password.
  Also the user should be under which user group.
  Regards,
  Arun

  Hello Arun-
  Here are the requirements for the ACS AD account:
  Enter the username of a predefined AD user. An AD account which is required for the domain access in ACS, should have either of the following:
  - Add workstations to the domain user in the corresponding domain.
  - Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS machine to the domain).
  - Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the administrator if a wrong password is used for that account. This is because, if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/users_id_stores.html
  Thank you for rating helpful posts!

• ADFS SSO and SharePoint 2013 on-premise Hybrid outbound search results from SharePoint Online - does it work?

  Hi, 
  I want to setup an outpund hybrid search for SharePoint 2013 on-premise to SharePoint Online.
  But I'm not shure if this works with ADFS SSO.
  Has somebody experience with this setup?
  Here's my guide which I'm going to use for this installation:
  Introduction
  In this post I'll show you how to get search results from your SharePoint Online in your SharePoint 2013 on-premise search center.
  Requirements
  User synchronisation ActiveDirectory to Office 365 with DirSync
  DirSync password sync or ADFS SSO
  SharePoint Online
  SharePoint 2013 on-premise
  Enterprise Search service
  SharePoint Online Management Shell
  Instructions
  All configuration will be done either in the Search Administration of the Central Administration or in the PowerShell console of your on-premise SharePoint 2013 server.
  Set up Sever to Server Trust
  Export certificates
  To create a server to server trust we need two certificates.
  [certificate name].pfx: In order to replace the STS certificate, the certificate is needed in Personal Information Exchange (PFX) format including the private key.
  [certificate name].cer: In order to set up a trust with Office 365 and Windows Azure ACS, the certificate is needed in CER Base64 format.
  First launch the Internet Information Services (IIS) Manager
  Select your SharePoint web server and double-click Server Certificates
  In the Actions pane, click Create Self-Signed Certificate
  Enter a name for the certificate and save it with OK
  To export the new certificate in the Pfx format select it and click Export in the Actions pane
  Fill the fields and click OK Export to: C:\[certificate
  name].pfx Password: [password]
  Also we need to export the certificate in the CER Base64 format. For that purpose make a right-click on the certificate select it and click on View...
  Click the Details tab and then click Copy to File
  On the Welcome to the Certificate Export Wizard page, click Next
  On the Export Private Key page, click Next
  On the Export File Format page, click Base-64 encoded X.509 (.CER), and then click Next.
  As file name enter C:\[certificate
  name].cer and then click Next
  Finish the export
  Import the new STS (SharePoint Token Service) certificate
  Let's update the certificate on the STS. Configure and run the PowerShell script below on your SharePoint server.
  if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
  # set the cerficates paths and password
  $PfxCertPath = "c:\[certificate name].pfx"
  $PfxCertPassword = "[password]"
  $X64CertPath = "c:\[certificate name].cer"
  # get the encrypted pfx certificate object
  $PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
  # import it
  Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $PfxCert
  Type Yes when prompted with the following message.
  You are about to change the signing certificate for the Security Token Service. Changing the certificate to an invalid, inaccessible or non-existent certificate will cause your SharePoint installation to stop functioning. Refer
  to the following article for instructions on how to change this certificate: http://go.microsoft.com/fwlink/?LinkID=178475. Are you
  sure, you want to continue?
  Restart IIS so STS picks up the new certificate.
  & iisreset
  & net stop SPTimerV4
  & net start SPTimerV4
  Now validate the certificate replacement by running several PowerShell commands and compare their outputs.
  # set the cerficates paths and password
  $PfxCertPath = "c:\[certificate name].pfx"
  $PfxCertPassword = "[password]"
  # get the encrypted pfx certificate object
  New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
  # compare the output above with this output
  (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
  [/code]
  ## Establish the server to server trust
  [code lang="ps"]
  if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
  Import-Module MSOnline
  Import-Module MSOnlineExtended
  # set the cerficates paths and password
  $PfxCertPath = "c:\[certificate name].pfx"
  $PfxCertPassword = "[password]"
  $X64CertPath = "c:\[certificate name].cer"
  # set the onpremise domain that you added to Office 365
  $SPCN = "sharepoint.domain.com"
  # your onpremise SharePoint site url
  $SPSite="http://sharepoint"
  # don't change this value
  $SPOAppID="00000003-0000-0ff1-ce00-000000000000"
  # get the encrypted pfx certificate object
  $PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
  # get the raw data
  $PfxCertBin = $PfxCert.GetRawCertData()
  # create a new certificate object
  $X64Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
  # import the base 64 encoded certificate
  $X64Cert.Import($X64CertPath)
  # get the raw data
  $X64CertBin = $X64Cert.GetRawCertData()
  # save base 64 string in variable
  $CredValue = [System.Convert]::ToBase64String($X64CertBin)
  # connect to office 3656
  Connect-MsolService
  # register the on-premise STS as service principal in Office 365
  # add a new service principal
  New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -Type asymmetric -Usage Verify -Value $CredValue
  $MsolServicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
  $SPServicePrincipalNames = $MsolServicePrincipal.ServicePrincipalNames
  $SPServicePrincipalNames.Add("$SPOAppID/$SPCN")
  Set-MsolServicePrincipal -AppPrincipalId $SPOAppID -ServicePrincipalNames $SPServicePrincipalNames
  # get the online name identifier
  $MsolCompanyInformationID = (Get-MsolCompanyInformation).ObjectID
  $MsolServicePrincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppID).ObjectID
  $MsolNameIdentifier = "$MsolServicePrincipalID@$MsolCompanyInformationID"
  # establish the trust from on-premise with ACS (Azure Control Service)
  # add a new authenticatio realm
  $SPSite = Get-SPSite $SPSite
  $SPAppPrincipal = Register-SPAppPrincipal -site $SPSite.rootweb -nameIdentifier $MsolNameIdentifier -displayName "SharePoint Online"
  Set-SPAuthenticationRealm -realm $MsolServicePrincipalID
  # register the ACS application proxy and token issuer
  New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/metadata/json/1/" -DefaultProxyGroup
  New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"
  Add a new result source
  To get search results from SharePoint Online we have to add a new result source. Run the following script in a PowerShell ISE session on your SharePoint 2013 on-premise server. Don't forget to update the settings region
  if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
  # region settings
  $RemoteSharePointUrl = "http://[example].sharepoint.com"
  $ResultSourceName = "SharePoint Online"
  $QueryTransform = "{searchTerms}"
  $Provier = "SharePoint-Remoteanbieter"
  # region settings end
  $SPEnterpriseSearchServiceApplication = Get-SPEnterpriseSearchServiceApplication
  $FederationManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($SPEnterpriseSearchServiceApplication)
  $SPEnterpriseSearchOwner = Get-SPEnterpriseSearchOwner -Level Ssa
  $ResultSource = $FederationManager.GetSourceByName($ResultSourceName, $SPEnterpriseSearchOwner)
  if(!$ResultSource){
  Write-Host "Result source does not exist. Creating..."
  $ResultSource = $FederationManager.CreateSource($SPEnterpriseSearchOwner)
  $ResultSource.Name = $ResultSourceName
  $ResultSource.ProviderId = $FederationManager.ListProviders()[$Provier].Id
  $ResultSource.ConnectionUrlTemplate = $RemoteSharePointUrl
  $ResultSource.CreateQueryTransform($QueryTransform)
  $ResultSource.Commit()
  Add a new query rule
  In the Search Administration click on Query Rules
  Select Local SharePoint as Result Source
  Click New Query Rule
  Enter a Rule name f.g. Search results from SharePoint Online
  Expand the Context section
  Under Query is performed on these sources click on Add Source
  Select your SharePoint Online result source
  In the Query Conditions section click on Remove Condition
  In the Actions section click on Add Result Block
  As title enter Results for "{subjectTerms}" from SharePoint Online
  In the Search this Source dropdown select your SharePoint Online result source
  Select 3 in the Items dropdown
  Expand the Settings section and select "More" link goes to the following URL
  In the box below enter this Url https://[example].sharepoint.com/search/pages/results.aspx?k={subjectTerms}
  Select This block is always shown above core results and click the OK button
  Save the new query rule

  Hi  Janik,
  According to your description, my understanding is that you want to display hybrid search results in SharePoint Server 2013.
  For achieving your demand, please have a look at the article:
  http://technet.microsoft.com/en-us/library/dn197173(v=office.15).aspx
  If you are using single sign-on (SSO) authentication, it is important to test hybrid Search functionality by using federated user accounts. Native Office 365 user accounts and Active Directory Domain Services
  (AD DS) accounts that are not federated are not recognized by both directory services. Therefore, they cannot authenticate using SSO, and cannot be granted permissions to resources in both deployments. For more information, see Accounts
  needed for hybrid configuration and testing.
  Best Regards,
  Eric
  Eric Tao
  TechNet Community Support

• How to Make Fields in Field Catalog Mandatory

  Hi Gurus,
  I want to Make Some Fields In Field Catalog Mandatory and Some should be Non Mandatory Can u please help me out as soon as u can.
  Regards
  Deep Gaur

  Hi,
  IF you can specify which Field Catalog then it will be useful for us to provide appropriate answer.
  1. For Customer Master
  IMG> Financial Accounting New> Acs Recev and Acs Payable --> Customer Accounts --> Master Data --> Preperation of creating customer master Data --> Define Account Groups with screen layout (customers)
  In that you can create your own account group, and click Details Screen.
  There will Field Status header within that are listed three main areas
  General data
  Company code data
  Sales data
  When you double click these lines it will take you into "Status Group" Overview. Wherein under "Select Group" are listed fields Address, communiucation.... Double click on one group , you will bet aken into the group field wherein you will find 4 colums with indicators assigned to it. ( Suppress, Req. Entry, Opt Entry, Display) you can choose the required option. "Req. Entry" against the field. Click save after you complete your selections.
  2. Similarly you can do for Material Master in
  IMG --> Logistics General --> Material Master --> Field Selection --> Maintain Field Selection for Data Screens
  But be careful when you do it for material master as it is cuts across all the modules...
  Regards
  Sathya